Debian update for chromium-browser
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 12 |
| CVE-ID | CVE-2017-5111 CVE-2017-5112 CVE-2017-5113 CVE-2017-5114 CVE-2017-5115 CVE-2017-5116 CVE-2017-5117 CVE-2017-5118 CVE-2017-5119 CVE-2017-5120 CVE-2017-5121 CVE-2017-5122 |
| CWE-ID | CWE-416 CWE-122 CWE-119 CWE-843 CWE-200 CWE-300 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Debian Linux Operating systems & Components / Operating system |
| Vendor | Debian |
Security Bulletin
This security bulletin contains information about 12 vulnerabilities.
1) Use-after-free error
EUVDB-ID: #VU8124
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5111
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to use-after-free error in PDFium. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 61.0.3163.100-1~deb9u1, 61.0.3163.100-1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://www.debian.org/security/2017/dsa-3985
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Heap-based buffer overflow
EUVDB-ID: #VU8125
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5112
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to heap-based buffer overflow in WebGL. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 61.0.3163.100-1~deb9u1, 61.0.3163.100-1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://www.debian.org/security/2017/dsa-3985
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Heap-based buffer overflow
EUVDB-ID: #VU8126
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5113
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to heap-based buffer overflow in Skia. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 61.0.3163.100-1~deb9u1, 61.0.3163.100-1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://www.debian.org/security/2017/dsa-3985
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Memory corruption
EUVDB-ID: #VU8127
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5114
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to memory lifecycle issue in PDFium. A remote attacker can trick the victim into visiting a specially crafted website, trigger memory corruption and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 61.0.3163.100-1~deb9u1, 61.0.3163.100-1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://www.debian.org/security/2017/dsa-3985
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Type confusion
EUVDB-ID: #VU8128
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5115
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion in V8. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 61.0.3163.100-1~deb9u1, 61.0.3163.100-1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://www.debian.org/security/2017/dsa-3985
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Type confusion
EUVDB-ID: #VU8129
Risk: High
CVSSv3.1: 8.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5116
CWE-ID:
CWE-843 - Type confusion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to type confusion in V8. A remote attacker can trick the victim into visiting a specially crafted website and execute arbitrary code with privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Update the affected package to version: 61.0.3163.100-1~deb9u1, 61.0.3163.100-1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://www.debian.org/security/2017/dsa-3985
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Information disclosure
EUVDB-ID: #VU8133
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5117
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists due to use of uninitialized value in Skia. A remote attacker can trick the victim into visiting a specially crafted website and read arbitrary data from system memory.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected package to version: 61.0.3163.100-1~deb9u1, 61.0.3163.100-1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://www.debian.org/security/2017/dsa-3985
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Security restrictions bypass
EUVDB-ID: #VU8135
Risk: Low
CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5118
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions.
The weakness exists due to improper access control. A remote attacker can trick the victim into visiting a specially crafted website and bypass content security policy in Blink on the system.
Update the affected package to version: 61.0.3163.100-1~deb9u1, 61.0.3163.100-1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://www.debian.org/security/2017/dsa-3985
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Information disclosure
EUVDB-ID: #VU8134
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5119
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists due to use of uninitialized value in Skia. A remote attacker can trick the victim into visiting a specially crafted website and read arbitrary data from system memory.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected package to version: 61.0.3163.100-1~deb9u1, 61.0.3163.100-1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://www.debian.org/security/2017/dsa-3985
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Man-in-the-middle attack
EUVDB-ID: #VU8136
Risk: Low
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5120
CWE-ID:
CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to conduct a man-in-the-middle attack.
The weakness exists due to potential HTTPS downgrade during redirect navigation. A remote attacker can trick the victim into visiting a specially crafted website and use man-in-the-middle techniques to read and modify arbitrary data on the system.
Update the affected package to version: 61.0.3163.100-1~deb9u1, 61.0.3163.100-1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://www.debian.org/security/2017/dsa-3985
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Buffer overflow
EUVDB-ID: #VU8590
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5121
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing web pages in V8. A remote unauthenticated attacker can create a specially crafted web page, trick the victim into opening and and trigger memory corruption.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package to version: 61.0.3163.100-1~deb9u1, 61.0.3163.100-1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://www.debian.org/security/2017/dsa-3985
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Buffer overflow
EUVDB-ID: #VU8591
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-5122
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error when processing web pages in V8. A remote unauthenticated attacker can create a specially crafted web page, trick the victim into opening and and trigger memory corruption.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package to version: 61.0.3163.100-1~deb9u1, 61.0.3163.100-1
Vulnerable software versionsDebian Linux: All versions
External linkshttp://www.debian.org/security/2017/dsa-3985
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
